2014.12.17 Tech Corner

Top 3 Reasons Business Associates are Ignoring HIPAA Regulations

Article By: Rich Silva – Founder – Pain Point IT Solutions, Inc.

Starting in October of 2013, the Office of Civil Rights (OCR) has been conducting audits of Covered Entities (CE’s) and quite frankly finding enough violations that turn into settlements to make this a very profitable undertaking for them. Don’t worry, when the CE’s get with the program and that money well dries up for the OCR, they already have laid the foundation on who to target next. Business Associates (BA’s), are defined as any entity that CE’s work with or for who COULD potentially come in contact with a medical record whether it be a physical piece of paper, or an electronic version of a record (ePHI). Some examples of BA’s are attorneys, accountants, data center and cloud providers, shredding companies, document storage companies, collection agencies, EMR companies, EHR companies, bankers, revenue cycle management vendors, transcribers, and the list goes on. So why aren’t BA’s taking the necessary steps to complete risk assessments NOW in order to prepare for the inevitable ?

1) “HIPAA compliance is for doctors offices and hospitals”

While the initial intention for HIPAA was to lay out the rules pertaining to the handling of personal health information (PHI), it was purposely left vague and did not specifically say only doctors offices and hospitals are responsible for the safe keeping of these records. Guess what, in 2013 the law was amended by the Omnibus rule and now defined Business Associates and their roles in HIPAA when working with the CE’s.

2) “I’m too small of a practice to be audited, no need to do a risk assessment until the heat is turned on”

The OCR went after the big one’s first and are making out pretty well financially if I do say so. Don’t take my word for it, at the bottom of the newsletter below is a link to their website where they toot their horn. Like a growing company, they will re-invest those “profits” and grow their business and outreach to target you too. When they do make the call, wouldn’t you rather have your attorneys tell them that you have already taken the preliminary steps and had an IT risk assessment done ? Or, do you prefer the deer in headlights approach ? Guess which one the OCR will probe if given the choice.

3) “HIPAA ? What is HIPAA ?”

Sure, most of you have heard of HIPAA and about how Uncle Sam has put together a plan to protect patients data. However, most do not know how this affects them as a business and let’s be honest; most of the people in congress who passed these laws haven’t even read it, so don’t feel bad that you haven’t. However, my goal is to raise awareness and at least have my audience thinking about this law that some day, in some way WILL AFFECT YOU or YOUR BUSINESS.

How Can You Prepare ? Call Pain Point IT Solutions.

Pain Point IT Solutions can provide you with an IT risk assessment report for your business that will point out where you need to improve your systems to be compliant with the current law. The assessment tools we use were specifically developed for HIPAA risk assessment and continue to evolve as the HIPAA rules and audit program evolves. At the end of the risk assessment, at worst, you will have a report that you can use as proof that you are taking this serious when the OCR comes a knocking. At best, you will understand clearly what you need to do to confidently tell your CE’s that yes; I’m HIPAA compliant, do business with me. Contact us at 845-249-2889 or e-mail us at gotanitpainpoint@painpointitsolutions.com to set up a 10 minute phone call with me. I guarantee you’ll see the way I think about you and your organization’s short and long term IT planning differs from what you have in place now.